Threat Essentials Blog

Evolving ransomware tactics in Accellion FTA attacks

Accellion FTA vulnerability

Malicious actors have been targeting the legacy Accellion FTA system to access, exfiltrate, and leak data from victims since December 2020. Mandiant has identified UNC2546 as the actor behind these attacks; the actor demands payment from victims in return for not publishing the stolen data. When victims decline to pay, UNC2546 publishes their data on the “CL0P^_- LEAKS” website on the dark web.


Accellion FTA victims

UNC2546 appears to be motivated by financial gain. Known victims so far include Canadian airplane manufacturer Bombardier, the American Bureau of Shipping, Netherlands-based Fugro, life sciences company Danaher, Singapore’s state-owned telecommunications company SingTel, and Transport for New South Wales.

These data exfiltration attacks are unusual in that the perpetrators did not install ransomware. This suggests a change in the tactics, techniques, and procedures (TTPs) of cybercriminals. Because no files are encrypted, it is harder for victims to detect anomalous behaviour in their systems. Victims are likely to remain unaware until they receive a demand for payment, or until their files are uploaded to the Clop website.

At Threat Essentials, we rapidly detect when customers’ data have been leaked before it attracts widespread public attention so that customers can respond proactively to the situation. 

How does the Accellion FTA hack work?

We’ve seen that there are currently 26 companies listed on the Clop website, 24 of which have had data leaked beyond Proof of Compromise (PoC) files. Some of the files have attracted more than 100,000 views, which is high by dark web standards. We have also noticed that since last week, the data of at least one target has been removed, suggesting that a victim may have paid the ransom or that other cybercriminals have purchased the data.

We’ve also observed that the Accellion FTA leaks follow a similar pattern for nearly every target. Emails are usually published first. PoC files often consist of emails, confidential files, or passports, plus driving licences and photos of staff where available. In essence, it appears the most commercially sensitive documents and Personally Identifiable Information are published to apply pressure on victims who have declined to pay the ransom. In the two most recent data leaks, only the victims’ PoCs have been uploaded. This suggests there is a delay between the uploading of PoCs and full publication of stolen data.

What do we recommend?

If you can discover a PoC of your data before the full data leak occurs, you should be better placed to put mitigations in place before any of it becomes public.

Proactively mitigate your cyber risk through Threat Essentials’ unique threat intelligence platform by increasing awareness of any data that may have been exfiltrated surreptitiously. Gain an understanding of who has it, their motivations, and what they intend to do with it before malicious actors can maximise their leverage over your data.
